The new generation of security for wireless networks doesn't simply fix WEP's flaws—it enables you to use your RADIUS server to authenticate wireless users.

Creating Certificates

For EAP-TLS, you need at least two certificates besides your CA
certificate, a server certificate for your FreeRADIUS server and one
client certificate for each wireless client on your network. Creating
certificates is a three-step process:

This command creates the files server_req.pem, which contains the
actual request—an unsigned certificate—and server_key.pem, its
passphrase-less private key. First, though, you are prompted for
your organization's Country Code, State and so on, much of which can
use the default values you tweaked in openssl.conf. Pay special
attention, however, to Common Name. When prompted for this,
type the fully qualified domain name of your server, for example,
server.wiremonkeys.org.

Next, let's use our CA key to sign the request by using OpenSSL's ca
command:

This command reads the file server_req.pem and, after prompting
for your CA key's passphrase, saves a signed version of
it plus its corresponding private key to the file server_cert.pem.
Notice the -extensions and -extfile options—this is why earlier we created
the file xpextensions.

Open your signed certificate with the text editor of your
choice and delete everything before the line -----BEGIN
CERTIFICATE-----. Concatenate it and your key into a single file,
like this:

$ cat server_key.pem server_cert.pem > \
server_keycert.pem

Now we've got a server certificate with a key that we can copy over to our
FreeRADIUS server. Its private key isn't password-protected,
however, so be sure to delete any extraneous copies after you've got it
in place.

Now we need to create a client certificate signing request. The
OpenSSL command to do this is similar to that used to create server
certificates:

As you can see, we're writing our signing request and key to the files
client_req.pem and client_key.pem, respectively. Unlike with the server
signing requests, however, we're omitting the -nodes option. Therefore,
when you run this command, you are prompted for a passphrase with
which the certificate's private key can be encrypted.

Again, this is similar to the equivalent command for our server, except
this time the -extensions option references a different entry in xpextensions.
Also, if your clients run Linux, you should delete the
extraneous stuff in the certificate, like you did with server_cert.pem.
You then either can leave the certificate and key files separate or concatenate
them. From there, copy your client certificate file(s) to your Linux
client system.

If your certificate is to be used by a Windows XP client, you have one
more step to take. You need to convert the certificate file(s) to a PKCS12-format file,
with this command:

You are prompted for client_key.pem's passphrase and then for a new passphrase
for the new file; you can use the same password as before if you like.
You may be tempted simply to press Enter instead, especially given that the WPA
supplicant in Windows XP works only when you store its certificates
without passphrases. It's very, very bad practice, however, to move private keys
around networks unprotected, so I strongly recommend that you not remove the
passphrase until after this file is copied safely over to your Windows XP client.

Lest you be tempted to take this opportunity to bash
Microsoft, I must note that both Xsupplicant
and wpa_supplicant on Linux require you to either
use a blank passphrase or store the passphrase in
clear text in a configuration file. This is contrary
to good certificate-handling wisdom. I hope we some day
see WPA supplicants intelligent enough to prompt
the user for its certificate passphrase on startup.

The resulting file, in this example client_cert.p12, contains both
your signed certificate and its private key. Copy it to your Windows XP
client system.
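The certificate steps above, gathered into one script so the whole sequence can be tried end to end against a throwaway CA. This is an added example, not the article's own commands: it writes its own minimal openssl.cnf and CA directory layout, and it assumes a CA named Demo Wireless CA, the host names server.wiremonkeys.org and client.wiremonkeys.org, constructed passphrases, and that xpextensions holds the two standard extendedKeyUsage sections xpserver_ext and xpclient_ext (the article mentions the file but not its contents). The interactive prompts are replaced by -subj, -batch and pass: arguments so that it runs unattended.

```shell
#!/bin/sh
# Added example (not from the article): server and client EAP-TLS certificates
# issued non-interactively by a disposable CA. Assumed, not from the article:
# the CA name, the host names, the passphrases and the xpextensions contents.
set -eu

CA_PASS="demo-ca-passphrase"          # constructed: protects the CA key
CLIENT_PASS="demo-client-passphrase"  # constructed: encrypts client_key.pem
P12_PASS="demo-p12-passphrase"        # constructed: protects client_cert.p12

# Create the directory layout, openssl.cnf, xpextensions and CA cert in $1.
setup_demo_ca() {
    cadir="$1"
    mkdir -p "$cadir/private" "$cadir/newcerts"
    : > "$cadir/index.txt"        # the CA database: one line per issued cert
    echo 01 > "$cadir/serial"     # next serial number, hexadecimal
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $cadir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
unique_subject = yes
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Assumed xpextensions contents: the serverAuth and clientAuth EKU OIDs.
    cat > "$cadir/xpextensions" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # Self-signed CA certificate; its private key is passphrase-protected.
    openssl req -new -x509 -days 730 -config "$cadir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Demo Wireless CA" -passout "pass:$CA_PASS" \
        -keyout "$cadir/private/cakey.pem" -out "$cadir/cacert.pem"
}

# $1 cadir  $2 name  $3 Common Name  $4 xpextensions section  $5 key passphrase ("" = -nodes)
issue_cert() {
    cadir="$1"; name="$2"; cn="$3"; ext="$4"; keypass="$5"
    if [ -z "$keypass" ]; then keyopt="-nodes"; else keyopt="-passout pass:$keypass"; fi
    # -subj stands in for the Country Code/State/Common Name prompts.
    # shellcheck disable=SC2086  (word splitting of $keyopt is intended)
    openssl req -new $keyopt -config "$cadir/openssl.cnf" -subj "/CN=$cn" \
        -keyout "$cadir/${name}_key.pem" -out "$cadir/${name}_req.pem"
    # Sign with the CA key; the extensions come from xpextensions as in the article.
    openssl ca -batch -config "$cadir/openssl.cnf" -passin "pass:$CA_PASS" \
        -extensions "$ext" -extfile "$cadir/xpextensions" \
        -in "$cadir/${name}_req.pem" -out "$cadir/${name}_cert.raw"
    # The article's editor step: drop the readable dump that precedes
    # -----BEGIN CERTIFICATE-----, leaving the bare PEM certificate.
    sed -n '/-----BEGIN CERTIFICATE-----/,$p' "$cadir/${name}_cert.raw" > "$cadir/${name}_cert.pem"
}

make_eap_tls_certs() {
    cadir="$1"
    setup_demo_ca "$cadir"
    # Server: unencrypted key (-nodes), serverAuth EKU, key+cert in one file for FreeRADIUS.
    issue_cert "$cadir" server server.wiremonkeys.org xpserver_ext ""
    cat "$cadir/server_key.pem" "$cadir/server_cert.pem" > "$cadir/server_keycert.pem"
    chmod 600 "$cadir/server_key.pem" "$cadir/server_keycert.pem"   # the key is not encrypted
    # Client: encrypted key, clientAuth EKU, then a PKCS#12 bundle for Windows XP.
    issue_cert "$cadir" client client.wiremonkeys.org xpclient_ext "$CLIENT_PASS"
    openssl pkcs12 -export -in "$cadir/client_cert.pem" -inkey "$cadir/client_key.pem" \
        -passin "pass:$CLIENT_PASS" -passout "pass:$P12_PASS" -out "$cadir/client_cert.p12"
}

# Pre-deployment check: $2 chains to the CA in $1 and carries the EKU text $3.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "$3"
}

# Run as: sh eap-tls-demo.sh /path/to/new/ca/dir
if [ -n "${1:-}" ]; then make_eap_tls_certs "$1"; fi
```

The server key is written unencrypted, exactly as in the article, so the script restricts its permissions and you should still delete stray copies once server_keycert.pem is in place. The pass: arguments and -batch are conveniences for a disposable CA; for a real CA keep the article's interactive prompts, because a passphrase given on the command line is visible in shell history and process listings. Note that the config sets unique_subject = yes, the OpenSSL default, so giving the client request the server's Common Name makes the second openssl ca run fail.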

Though the explanation is very comprehensive, I am very new to Linux. I have SUSE Linux 10.0 and I want to configure it as a RADIUS server and to generate certificates for Windows-based clients. For that I need step-by-step procedures, so can I get any help?

Why not use the StartCom Certification Authority, which provides free certification? Their free certificates seem to support the needed extensions, and they also provide domain controller - smart card certificates, which could be used with freeRadius. Depending on the access parameters (guess that's what it's all about in the next article), these certificates are unique per domain name and an administrator of a domain can control the issuance of the client certificates. The certificates of that solution don't have to be installed into a smart card, but can be used with other clients. Perhaps the StartCom certs might make the process somewhat easier, in addition to having it issued by a known CA.

I'm having this problem trying to create a certificate for the client:
After issuing the command:
openssl ca -config ./openssl.cnf ...... ./client_req.pem
I get the signature ok
Siganture Ok
but when they ask me to sign the signature I press y and I get the following error:
failed to update the database
TXT_DB error number 2

No error happened to me when I tried to do the same for the server at the beginning. I'm using Fedora Core 3 with openssl 0.9.7a-40.

I believe this happens when an entry for the specific name already exists in the index.txt file.

What I did is I modified serial and serial.old by decrementing the hex integers contained within by 1. Then I modified index.txt and index.txt.old by removing the last lines contained in each of the files. No problems after that.

Has anyone fixed the TXT_DB error 2?
It does have to do with the domain, because I put a different one and it signed the certificate.
I did check the database file and I get the 2 certificates, one of them with the correct domain and the other with the wrong domain......does anyone know, if I edit the wrong domain and fix it, will it work?

Banged my head a few times, then realized, as a few others have: when you generate the client certificate and it gets to the COMMON NAME, don't use the same host name you used on the server, just type in the host name for your client.

Now off to figure out why I get an unknown CA error when it tries to enable TLS

The issue there, since I banged my head up against that one too, is that openssl didn't like me having two certs, one server and one client, with the same domain name. I believe that was the issue. It's the part, and it's been a while since I've had to create them...it's the part that asks for your information, organization, state, city, etc. I believe my issue was typing in the domain information. It didn't want to update two certs by the same domain or local or whatever that little section asked.

Check it out, play with that section because right there is where the issue was. When it's asking you the questions. Also look at the textfile database it creates. Once you open it up, you'll see what I'm talking about. What you've got to change is in there and from memory and that's poor :) it had something to do with the local or domain. It didn't like it when I used the same one.

I hope this helped and since I'm not frustrated right now all the extra flare isn't in me to bash anything!
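A pre-signing check for the TXT_DB error number 2 that several of these comments describe. This is an added example, not from the article or the commenters, and the index.txt contents it uses are constructed. It encodes what openssl ca itself does when unique_subject is yes (the default): before issuing, it looks the request's subject DN up among the valid (V) rows of its database, index.txt, and refuses a duplicate, which is exactly what happens when a client request is given the same Common Name as the server certificate.

```shell
#!/bin/sh
# Added example (not from the article or the comments): check a request's
# subject against the CA database before running "openssl ca", so that the
# TXT_DB error number 2 is explained instead of merely hit. Sample data below
# is constructed.
set -eu

# index.txt is tab-separated: status (V valid, R revoked, E expired), expiry,
# revocation date, serial, file name, subject DN. Only V rows count toward
# the uniqueness check, so a revoked or expired subject may be issued again.
valid_subjects() {
    awk -F'\t' '$1 == "V" { print $6 }' "$1"
}

# Return 0 if subject $2 already holds a valid certificate in database $1.
subject_in_use() {
    valid_subjects "$1" | grep -Fxq -- "$2"
}

# Human-readable verdict for a request's subject: $1 index.txt, $2 subject DN.
check_before_signing() {
    if subject_in_use "$1" "$2"; then
        printf 'REFUSE: %s already has a valid certificate (would fail with TXT_DB error number 2)\n' "$2"
        return 1
    fi
    printf 'OK: %s is free\n' "$2"
}

# Constructed sample database written to $1: the server certificate, a
# revoked laptop certificate and one more valid client certificate.
make_sample_index() {
    printf 'V\t261231235959Z\t\t01\tunknown\t/CN=server.wiremonkeys.org\n' > "$1"
    printf 'R\t261231235959Z\t240115101500Z\t02\tunknown\t/CN=oldlaptop.wiremonkeys.org\n' >> "$1"
    printf 'V\t261231235959Z\t\t03\tunknown\t/CN=laptop.wiremonkeys.org\n' >> "$1"
}

# Run as: sh index-check.sh /path/to/index.txt "/CN=client.wiremonkeys.org"
if [ $# -eq 2 ]; then check_before_signing "$1" "$2"; fi
```

The fix the commenters found, a distinct Common Name for each client, is the right one. Revoking the earlier certificate (openssl ca -revoke) marks its row R and frees the subject as well, whereas trimming index.txt and serial by hand, as one commenter did, is easy to get wrong. Setting unique_subject = no in the CA_default section of openssl.cnf merely switches the check off.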

Many many many assumptions with this article. I'm a novice!!! Do the "Pro's" need "tutorials"? I think you assume too much, like we know what the hell we're doing!!! This other dude has the same error I have, fortunately I'm the shit and figured it out although I'm just now getting past it 20 minutes later!!! Ohhhhhhh the frustration with Linux. This is why Windows is sooooo superior. It configures itself but because my manager asked me to help him out, I'll use the crappy Linux OS for now :)

Now, to fix your problem. If you don't have a sweet support ticket you can put in with the Software vendor like some lame ass support management...they have a privilege, they don't need to know how to troubleshoot.

I unfortunately as you...don't have the sweet support ticket to get someone else to do my work for me so we've got to figure it out ourselves.

What you need to do dude...look at the error.

My error, although similar probably has a different directory path.

Notice my crappy error.

"Error opening CA private key ./scitCA/private/cakey.pem"

You need to edit your openssl.cnf and manually type in the directory above that one, my case was ./misc/scitCA

That should be typed into...

[ CA_default ]
dir = ./scitCA

I had to change it to get it to work. Changed to ./misc/scitCA!!! I'll change it back as soon as I move on to the next step in the guide.

I totally think this guide is not for novice's, it's for Linux Fags!!!

Why must you slam others? Personally I wonder why you would call someone a fag because they chose to use Linux. If you do however, why would you insult yourself by making comments on how Microsoft's products are so much easier to use? Isn't this publicly announcing to everyone "Hey I'm not smart enough to be a Linux certified "Bitch"?"

Personally I think all of the extra crap you put in the response was completely unnecessary. If you want to help someone do so, don't slam people in doing so.

What I said was mostly out of frustration because Linux documentation is horrible!

You shouldn't have taken it too personally. I see you probably took it personally since you have certification envy and feel the need to let people know how "smart" you are by listing all your certs. I'm surprised you didn't upload scanned copies of all your cert cards.

Moreover, what I see is you not taking your own advice, are you helping others or slamming others? At least I offer some help with a slam.

You just offer a slam and some showy certs. Weak sauce dude, weak sauce. I would expect that with a cert you'd be able to give a crumb or maybe a tiny piece of your genius to help us poor helpless people out.

You are right about one thing, all the extra I put in my responses helps nobody, I was venting frustration and for that I was wrong but now it's on :)

Linux has its merits but you have to configure the merits to no end and bang your head into the wall a million times more than MSFT. Good luck to any and all who try to use this article for freeradius installation even if you're using the same distro!!! I tried the same distro in the article and I still had issues. I guess I'm a loser because there's no "next" button.

The article will take you there but it won't get you home, it is somewhat helpful but has its faults. You can't just be any Geek off the street if you know what I mean (Old School Warren G quote!!!).

Great article. Not wanting to reinvent the wheel, I put this together with a real world install of FreeRADIUS on an Ubuntu server into an article I wrote on my site. I cite both this article series as well as an excellent how-to for tweaking FreeRADIUS from the Ubuntu Forums site.
